Great Circle Associates Firewalls
(August 1995)
 


Subject: Re: IP addresses behind a firewall.
From: The Supreme Commander <msingh @ pg . com>
Date: Mon, 14 Aug 1995 11:43:21 -0400 (EDT)
To: rick @ TIS . COM (Rick Murphy)
Cc: william_wong @ dsi . bc . ca, firewalls @ GreatCircle . COM
In-reply-to: <9508130304 . AA26668 @ tis . com> from "Rick Murphy" at Aug 12, 95 11:04:17 pm

> > A while ago, I heard people were using their own IP addresses (non-INTERNIC
> > approved) behind their firewall. Could somebody tell me how this can be done
[snip]

> Many firewalls translate internal addresses to the address of the firewall.
[snip]

> Side effects are that you can't get to the *real* hosts that appear to be
> local to you - for example, if you're using network 20.1.1.*, you can't talk
> to any host in the registered 20.1.1 domain since they appear to be local
> to your network.

The only workaround to this is to install a second machine internal to
your network as a port bouncer. For instance:

Let's say you are using internal network addresses of 139.134.0.0,
132.154.0.0 and 131.122.0.0.

Normally you wouldn't be able to get to those networks on the PI since
they are actual internal network addresses. However, if you configure
as follows:

Machine A is on internal network # 10.0.0.0 host address: 10.1.1.100
Firewall machine is on legal network: 199.23.44.0 host: 199.23.44.100

Network 10.0.0.0 is designated as a private network address that won't
be in use on the PI. Users on your internal networks open telnet
sessions to: 10.1.1.100 which bounces over to the firewall. Static
route all traffic from 199.23.44.100 to the PI except for 10.0.0.0
which will point back to your internal network. (All traffic will
really simply flow back to 10.1.1.100)

To the firewall, all connections appear to originate from
10.1.1.100. That's the only network it thinks is behind it. In
reality, the 10.1.1.100 host knows about all the "real" networks
behind it and can route traffic appropriately.

More resources are eaten up, but until some router vendors implement
Network Address Translators, or NATs, it's the only real solution to
using your existing illegal address space while allowing a complete
connection to the PI.



				...Manjit

---------------------------------------------------------------------
The Supreme Commander wishes you a Supreme day.
I'm a Magic Man, oooh, I got the magic hands, yeah...
Don't mind me, I'm just attempting to dock.
---------------------------------------------------------------------
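The two-hop layout Manjit describes, as a small routing model. This is an added example, not code from the original mail or from anyone on the list. The addresses (10.0.0.0 and 10.1.1.100 for the bounce host, 199.23.44.0 and 199.23.44.100 for the firewall, 139.134.0.0, 132.154.0.0 and 131.122.0.0 as the real internal networks) come from the post; the route tables, the relay behaviour of the bounce host and the source-address rewrite at the firewall are assumptions made to illustrate the design. It also models the side effect Rick quoted: a firewall that routes the real internal networks directly sends the registered owners of those addresses inside, while the firewall in the bounced layout knows only 10.0.0.0/8 and sends them out.

```python
"""Routing model of the bounce-host layout from the post above.

Added example, not code from the original mail. Addresses are taken from
the post; route tables, relay behaviour and the rewrite at the firewall
are assumptions used to illustrate the design.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNET = "internet"      # next-hop label: hand the packet to the upstream router
INSIDE = "inside"          # next-hop label: deliver on a directly attached internal net
BOUNCER_ADDR = "10.1.1.100"
FIREWALL_ADDR = "199.23.44.100"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass
class Router:
    """A tiny longest-prefix-match forwarding table."""
    name: str
    routes: list = field(default_factory=list)  # (IPv4Network, next-hop label)

    def lookup(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, hop)
        return best[1] if best else "unreachable"


# The side effect quoted from Rick Murphy: a firewall that routes the real
# internal networks directly can never reach the registered owners of those
# addresses on the Internet, because they match the internal routes first.
flat_firewall = Router("firewall, no bounce host", [
    (net("0.0.0.0/0"), INTERNET),
    (net("139.134.0.0/16"), INSIDE),
    (net("132.154.0.0/16"), INSIDE),
    (net("131.122.0.0/16"), INSIDE),
])

# The layout from the post: the firewall knows only 10.0.0.0/8, pointing back
# at the bounce host; everything else goes out to the Internet.
firewall = Router("firewall", [
    (net("0.0.0.0/0"), INTERNET),
    (net("10.0.0.0/8"), BOUNCER_ADDR),
])

# The bounce host holds the routes for the real internal networks and sends
# the rest to the firewall.
bouncer = Router("bounce host", [
    (net("0.0.0.0/0"), FIREWALL_ADDR),
    (net("139.134.0.0/16"), INSIDE),
    (net("132.154.0.0/16"), INSIDE),
    (net("131.122.0.0/16"), INSIDE),
])


def outbound_session(src: str, dst: str) -> dict:
    """Trace a user's telnet session from internal host `src` toward `dst`.

    Returns the hops as (device, source address seen there, next hop) and
    the source address an Internet peer would see. Relay and rewrite are
    modelled assumptions: the bounce host opens a fresh connection from its
    own address, and the firewall rewrites that to its own address.
    """
    hops = [("internal host", src, BOUNCER_ADDR)]  # step 1: user telnets to the bounce host
    nxt = bouncer.lookup(dst)
    if nxt == INSIDE:
        # Destination matches one of the real internal networks: the bounce
        # host delivers it locally and the firewall never sees the session.
        hops.append(("bounce host", BOUNCER_ADDR, INSIDE))
        return {"reaches_internet": False, "apparent_source": src, "hops": hops}
    hops.append(("bounce host", BOUNCER_ADDR, nxt))  # step 2: only 10.1.1.100 is visible here
    fw_next = firewall.lookup(dst)
    hops.append(("firewall", FIREWALL_ADDR, fw_next))  # step 3: rewritten to the firewall's address
    return {"reaches_internet": fw_next == INTERNET,
            "apparent_source": FIREWALL_ADDR, "hops": hops}


if __name__ == "__main__":
    # Constructed destinations: one on the public Internet (documentation
    # range), one inside the overlapping 139.134 range.
    for dst in ("192.0.2.10", "139.134.20.5"):
        print(dst, "flat firewall ->", flat_firewall.lookup(dst),
              "| bounced firewall ->", firewall.lookup(dst))
    print(outbound_session("131.122.4.4", "192.0.2.10"))
```

Running it shows what the post claims from the firewall's side: the only network it sees behind it is 10.0.0.0/8, so a destination in 139.134.0.0/16 is forwarded to the Internet rather than inside, and every session leaving the firewall carries its address. The model also makes a caveat visible: the bounce host's own table still treats the three real ranges as internal, so a registered host inside one of them is reachable from the firewall itself but not from a session that starts on the bounce host.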

